CLAIM AMENDMENTS 

1. (Previously Amended) A method for inoculating email infected with a virus, the 
email being composed of data packets sent over a network and associated with a traffic flow in 
the network, the method comprising: 

scanning the data packets forming the traffic flow associated with the email; 

detecting a signature of a known virus in the data packets; 

determining whether there is an attachment associated with the email; and 

altering bits of the data packet associated with the attachment in order to inoculate the 

email.. 

2. (original) The method of Claim 1 wherein altering the bits entails setting all the bits 
associated with the data packet to a predetermined value. 

3. (original) The method of Claim 1 wherein the method is performed by a content 
processor in a network device operating at wire speed. 

4. (original) The method of Claim 1 wherein the signature is detected in the text of the 

email. 

5. (original) The method of Claim 4 wherein the signature is ASCII text. 

6. (original) The method of Claim 1 wherein the signature is a binary signature located in 
the attachment. 

7. (original) The method of Claim 1 wherein the signature is stored in a memory, the 
memory holding a database of known signatures. 

8. (original) The method of Claim 7 wherein a new virus signature is added by loading 
the new virus signature into the database of new signatures. 
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9. (original) The method of Claim 1 further comprising before scanning the data 
packets, identifying the data packets as containing email. 

10. (original) A network device for scanning and inoculating email infected with 
a virus, the email being composed of data packets sent over a network and associated with 
a traffic flow in the network, the network device comprising: 

memory storing a database of known signatures, the known signatures 
including signatures of viruses; 

a content processor connected to the memory, the content processor operable to 
scan the data packets and determine whether the contents of the data packets match one 
of the signatures of viruses in the database of known signatures, and to determ^ine 
whether the email associated with the data packets includes an attachment, the content 
processor further operable to alter bits of the data packets forming the attachment, 
thereby inoculating the attachment and the email. 

11. (original) The network device of Claim 10 wherein the content scanning engine is 
able to scan across multiple data packets by storing intermediate conclusions in a session 
memory. 

12. (original) The network device of Claim 10 wherein the content processor is formed 
by a queue engine operable to reorder out of order data packets, a content scanning engine 
operable to scan the data packets, and a context engine operable to schedule data packets for 
scanning by the content scanning engine. 

13. (original) The network device of Claim 10 wherein the traffic flow is identified by a 
unique session id. 

14. (original) The network device of Claim 10 further comprising a quality of service 
processor connected to the content processor and operable to schedule the transmission of the 
data packets onto the network. 
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15. (original) The network device of Claim 10 wherein the content scanning engine is able to 
match signatures of arbitrary length, scan across boundaries of the data packets, and begin and 
end scanning anywhere within the data packet. 

16. (original) The network device of Claim 10 further comprising a host processor in 
communication with the content processor, the host processor operable to compile the database of known 
signatures and cause it to be loaded into the memory. 

17. (original) The network device of Claim 16 wherein a new virus signature is added by 
creating a new database of known signatures, recompiling the new database in the host processor, and 
loading the new database of known signatures into the memory. 

18. (original) The network device of Claim 16 wherein a new virus signature is added by 
loading the new virus signature directly into the database of known signatures. 



